Accept the default and be done with it. The defaults are good, they are not weak. Also, coming before the end of Sept will be the enhanced anti-spoof options that until now were only part of ATP/E5 licences (see MC146520 in the tenant Message Center). A default policy will be created automatically that will use machine learning to determine who your users communicate with and block emails from those domains that do not come from the servers that EOP knows it used to come from (i.e. when the domain is being spoofed).
Other than that, you might want to change junk email > junk email folder, so that junk goes to the quarantine, but then it becomes the responsibility of IT to manage the quarantine, and if you are like any other IT organization, you have better things to do than manage the quarantine. You can also optionally have a notification to the user that there is spam to check and they can manage their own quarantine.
The rest of the settings - unless you know you need them, don't change them.